
Alfacleaner; Possible Culprit


  • This topic is locked
18 replies to this topic

#1 fanatacist

fanatacist

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 28 March 2006 - 05:22 PM

Hello, thank you for reading this.

I am having some problems with my PC. I have issues logging on more than one person on Windows XP Professional SP1. I also have chronic problems with online programs, mainly games installed on my computer.

I have followed all the steps in the preparation guide.

Spybot gives no new entries.
Ad-aware and the VX2 add-on also give no new entries.
Housecall and Bitdefender both deleted one or two separate entries.

Activescan gave the following file:

Adware:adware/alfacleaner Windows Registry

I have searched for "alfacleaner" in Google and in these forums, and have found nothing that has helped remove or identify the Windows Registry key. I am pretty certain it is the reason for my problems in terms of online programs and possibly even the user logging issues.

I removed a virus identified by Activescan as "Haxdoor.IJ" recently as well, so that may also be part of the problem. After Googling this virus name online, there were no matches to multiple variants that I tried, except other Haxdoor variants.

This is the HJT log that I got right now. I turned off every process that I could besides HijackThis itself:

---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:17:20 PM, on 3/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

---------------------------------------

The (file missing) entries I have tried to remove in Safe Mode more than once, and they do not go away.

Any help, advice, or references would be greatly appreciated! I hope you find the information provided to be sufficient. If not, please notify me. Thank you in advance!

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:26 PM

Posted 01 April 2006 - 04:03 PM

Hello fanatacist!

Before we start, you need to realise that you are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG, Avira OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease the reliability of it!
Zonealarm, Agnitum Outpost Free OR Kerio are FREE firewalls.
Understanding and using firewalls

Please download fanatacistfix.bat that is attached to this post. Please save it to your desktop then double click on the file to open it. It will run then close.

After completing that please post a new HJT from Normal mode.

David

#3 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 01 April 2006 - 10:21 PM

Hello and thank you, David!

I used to run AVG before I re-installed Windows in December. I didn't think it was so necessary past the other scanners, so I didn't re-install it. Thank you for your advice! I ran AVG and found/deleted 2 viruses.

Both SpyBot and Ad-Aware found no infections.

I use the built-in Firewall. Should I use one of the ones you listed instead?

I ran the first log from Normal mode as well. I don't know if you were inferring that I wasn't (I'm not very good at English). I couldn't turn off all the processes because I needed to keep some running, sorry! This one is also from Normal mode:

---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:13:09 PM, on 4/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
D:\StealthBot\StealthBot v2.6R3.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

---------------------------------------

I ran the .bat file you added before this scan. Did it look for and/or delete possible files that are the cause of this? I'm just curious.

Thanks again for your help! I look forward to your response. Have a good night.

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:26 PM

Posted 02 April 2006 - 02:41 AM

Hello!

Good job so far.... The bad O23 service is now gone. AVG is another good choice, it's the AV I use and I rate it highly. Whether you install another firewall or not is your choice, but I would recommend Zonealarm free edition. XP's built in firewall doesn't give adequate protection in my opinion.

One other thing I see is traces of Prevx Agent internet security. I would imagine you tried to remove it a while back because the files are missing, however some leftovers remain. Please download fanatacistfix2.bat that is attached to this post. Please save it to your desktop then double click on the file to open it. It will run then close.

Reboot and post a new HJT log. Also can you tell me anything about this entry in your running processes?:
D:\StealthBot\StealthBot v2.6R3.exe

David
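The first two logs in this thread turn on one detail: an O23 service line ending in "(file missing)" is a registration for a binary that is no longer on disk, which is why David's first fix targeted those entries and why the Prevx leftovers came next. The following script is an added example written for this page, not code from the thread, from HijackThis or from BleepingComputer; it parses HijackThis-style lines and flags the cases the thread discusses (orphaned "(file missing)" entries, services with no publisher, and web-installed ActiveX controls). The sample log is constructed from lines posted above, and the section and line formats assumed are the ones visible in those logs.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis lines posted in this thread
# (paths and GUIDs copied from the thread; this is not a real scan of any machine).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

# "Oxx - rest" is the shape of every HijackThis finding line (assumed from the logs above).
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 lines: "Service: <display name> (<service name>) - <owner> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str        # HijackThis section, e.g. "O23"
    line: str        # the original log line
    reasons: list    # why it deserves a look


def parse_hjt(text):
    """Yield (section, body, original line) for every Oxx entry in a HijackThis log."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(text):
    """Flag entries worth a look: orphaned registrations, unattributed services, web-installed ActiveX."""
    findings = []
    for kind, body, line in parse_hjt(text):
        reasons = []
        if "(file missing)" in body:
            reasons.append("points at a file that no longer exists: a leftover registration to clean up")
        if kind == "O23":
            sm = SERVICE_RE.match(body)
            if sm and sm.group("owner") == "Unknown owner":
                reasons.append("service binary carries no publisher information")
        if kind == "O16":
            reasons.append("ActiveX control installed from the web; keep only the ones you deliberately used")
        if reasons:
            findings.append(Finding(kind, line, reasons))
    return findings


def orphaned_services(text):
    """Service names whose image path is missing (the O23 '(file missing)' case from the thread)."""
    names = []
    for kind, body, _ in parse_hjt(text):
        sm = SERVICE_RE.match(body) if kind == "O23" else None
        if sm and "(file missing)" in sm.group("path"):
            names.append(sm.group("name"))
    return names


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, "|", f.line)
        for r in f.reasons:
            print("    -", r)
    print("orphaned services:", orphaned_services(SAMPLE_LOG))
```

Run against the sample, the two Prevx and UMWdf services come out as orphaned while the AVG service, which has a publisher and an existing path, is not flagged at all; the ActiveScan O16 entry is listed only so the reader confirms it was a scanner they chose to run.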

#5 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 08:21 AM

Hello once more!

StealthBot 2.6 Revision 3 is a bot that simulates certain Blizzard games by connecting to the server using the hash files from the games. It's primarily used for chatting, trivia, clan moderation, etc. I've been using it for a year or so now, and voluntarily. I don't think it's tied to any malware. Here are two links if you want to know more:
StealthBot home
Wikipedia entry on StealthBot

This is a fresh HJT log after running the .bat file and restarting.

---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:12:58 AM, on 4/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

---------------------------------------

Thank you!

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:26 PM

Posted 02 April 2006 - 08:27 AM

I see a clean log! How is the system running, how does it feel to you?
David

#7 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 08:35 AM

The logging issues aren't present anymore. I need to reinstall the programs that were giving me trouble in order to check if the conditions there improved. I'll get back to you shortly.

Thank you for all your help :D!

#8 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 08:50 AM

On the first attempt, the programs lagged, but after I closed a few processes the problem was resolved. I think I'm set now.

I can't stress how much better I feel. Thank you so much for your help, advice, and efforts!

#9 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 09:31 AM

Sorry to re-open this, but Activescan still finds the Alfacleaner key in the Windows Registry. How do I identify/get rid of it?

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:26 PM

Posted 02 April 2006 - 10:38 AM

No worries at all....I'm here whenever you need me.
Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
Alfacleaner
Alfa cleaner
[Exclude]

[Options]
Filter=KVDLUI


Download Registry Search and extract it. Doubleclick the icon to run and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

David

#11 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 12:47 PM

I ran RegSearch and it successfully loaded "Alfacleaner" and "Alfa cleaner" from Options.txt. Upon running a check, however, this issue popped up:

[screenshot of the RegSearch error dialog; image not reproduced]

Nothing else happened.

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:26 PM

Posted 02 April 2006 - 01:45 PM

Hello again fanatacist!

Interesting error there. The creator of the program, Bobbi Fleckman, often comes on this site, but only in the mornings. I will ask him what he knows of the error and how it can be fixed. In the meantime, there is another scanner that works in a very similar way.

Please go to this site:
http://billsway.com/vbspage/

Scroll down the page to the "Registry Search Tool" link and click on it. Download the VBS script and save it to your desktop. Open the script and in the input box type:

alfacleaner <--then hit enter.

After a while (might be quite a long time) a log should appear in notepad. Please copy and paste that log back here.

David

#13 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 02:14 PM

Hello David!

Thank you for passing along the error information.

The script did not take that long, perhaps 30 seconds. What a great tool! Thank you for showing me this. Before I had to rely on Google to delete problematic Registry Keys. Here is the log from RegSrch:

---------------------------------------

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "alfacleaner" 4/2/2006 2:09:35 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-20\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-20\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

---------------------------------------

Thank you!

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:26 PM

Posted 02 April 2006 - 04:33 PM

Hello fanatacist

These alfacleaner entries are perfectly fine. They are in your ZoneAlarm list of blocked websites, which is actually a good thing!

Activescan is therefore reporting a false positive and there is nothing to be worried about. How is the computer running?

David
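Posts #10 to #14 are a worked case of the usual registry-search workflow: search every hive for a string, then read where the hits live before deciding anything. Every hit above sits under Internet Settings\ZoneMap\Domains, which is where Internet Explorer stores per-domain security-zone assignments; a dword value of 4 under such a key puts the domain in the Restricted sites zone, which is exactly what immunisation tools like Spybot's Immunize or SpywareBlaster write to block known adware sites, and why a scanner matching on the bare string reports a false positive. The script below is an added example written for this page, not code from the thread, from RegSrch.vbs or from Registry Search; it parses a REGEDIT4-style export like the one posted in #13, classifies ZoneMap hits by zone, and separates out any hit that falls elsewhere (a Run key, say), which would deserve real attention. The sample export is constructed: the key paths are copied from the thread, while the dword values, the example.test domain and the Run entry with its placeholder path are added for illustration, since the posted export listed keys only.

```python
import re

# Constructed sample in the REGEDIT4 format RegSrch.vbs writes. Key paths come from the
# thread; the dword values, "example.test" and the Run entry are constructed for illustration.
SAMPLE_EXPORT = r"""REGEDIT4
; RegSrch.vbs Bill James
; Registry search results for string "alfacleaner"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]
"http"=dword:00000004

[HKEY_USERS\S-1-5-21-1292428093-1757981266-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000002

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"alfacleaner"="C:\\constructed\\placeholder.exe"
"""

# Internet Explorer security zone identifiers (URLZONE values).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# ...\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
ZONEMAP_RE = re.compile(
    r"\\Internet Settings\\ZoneMap\\Domains\\(?P<domain>[^\\]+)(?:\\(?P<host>[^\\]+))?$", re.IGNORECASE)


def parse_reg_export(text):
    """Return {key path: {value name: int for dwords, str for strings}} from a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue
        dm = DWORD_RE.match(line)
        if dm:
            keys[current][dm.group("name")] = int(dm.group("hex"), 16)
        elif "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip('"')
    return keys


def hive_of(key):
    """The user SID (or .DEFAULT) for HKEY_USERS paths, otherwise the root hive name."""
    parts = key.split("\\")
    return parts[1] if parts[0].upper() == "HKEY_USERS" and len(parts) > 1 else parts[0]


def classify_hits(keys, needle):
    """Split search hits into benign ZoneMap assignments and everything else that matched."""
    needle = needle.lower()
    zonemap, other = [], []
    for key, values in keys.items():
        zm = ZONEMAP_RE.search(key)
        if zm:
            fqdn = (zm.group("host") + "." if zm.group("host") else "") + zm.group("domain")
            if not values:  # export listed the key only, as the thread's log did
                zonemap.append((hive_of(key), fqdn, None, "no zone value exported"))
            for name, zone in values.items():
                zonemap.append((hive_of(key), fqdn, name, ZONES.get(zone, f"zone {zone}")))
        elif needle in key.lower() or any(
                needle in n.lower() or needle in str(v).lower() for n, v in values.items()):
            other.append((hive_of(key), key))
    return zonemap, other


if __name__ == "__main__":
    zm, other = classify_hits(parse_reg_export(SAMPLE_EXPORT), "alfacleaner")
    for hive, fqdn, name, zone in zm:
        print(f"ZoneMap  {hive:<45} {fqdn:<25} {name!s:<6} {zone}")
    for hive, key in other:
        print(f"REVIEW   {hive:<45} {key}")
```

The alfacleaner.com keys come back as Restricted-sites assignments and need no action, the example.test entry shows how a Trusted-sites assignment for an unexpected domain would stand out, and the constructed Run value lands in the review list because a search hit outside ZoneMap is a different kind of finding.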

#15 fanatacist

fanatacist
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:NJ, USA
  • Local time:01:26 PM

Posted 02 April 2006 - 08:00 PM

That's great!

Actually, everything is near perfect. I have explorer.exe crashes periodically, but I think that's from previous damage and I'll have to replace the file itself with the Repair CD, and see how that works out. It's not really a serious problem.

The programs that did not work properly before are now fine, if I don't use WinAmp while running them. Though before I could do both, it might be an update to either that makes them react like they do. Again, it's not a problem.

So, unless you have any advice on explorer.exe, I think I'm now finally set. I did a run in ActiveScan, Spybot and Ad-aware, all came out clean or with nothing new.

Thank you very much once more for your time, advice, and effort!

Edited by fanatacist, 02 April 2006 - 08:01 PM.
